Firewall for controlling data transfers between networks based on embedded tags in content description language
Toga May 25, 2
Patent Grant 6742040
U.S. patent number 6,742,040 [Application Number 09/497,886] was granted by the patent office on 2004-05-25 for firewall for controlling data transfers between networks based on embedded tags in content description language. This patent grant is currently assigned to Intel Corporation. Invention is credited to James E. Toga.
| United States Patent | 6,742,040 |
| Toga | May 25, 2004 |
| **Please see images for: ( Certificate of Correction ) ** |
Firewall for controlling data transfers between networks based on embedded tags in content description language
Abstract
A method of controlling data transfer between a first and a second computer network comprises parsing content description language received from the first computer network to determine tag information with the content description language. A completion decision is made based on the tag information. For one embodiment, the completion decision may include any of the following: full data transfer between the two network, partial data transfer between the two network, a deferred data transfer at a later time, or a cached data transfer. Restrictions based upon a user's age, a user's access right, cost, system resources, and time of day may also be employed to limit the transfer of data based upon the tag information.
| Inventors: | Toga; James E. (Portland, OR) |
|---|---|
| Assignee: | Intel Corporation (Santa Clara,
CA) |
| Family ID: | 25098778 |
| Appl. No.: | 09/497,886 |
| Filed: | February 4, 2000 |
Related U.S. Patent Documents
| Application Number | Filing Date | Patent Number | Issue Date | ||
|---|---|---|---|---|---|
| 773602 | Dec 27, 1996 | 6041355 | |||
| Current U.S. Class: | 709/229; 707/E17.109; 707/999.009 |
| Current CPC Class: | H04L 63/0245 (20130101); G06F 16/9535 (20190101); Y10S 707/99939 (20130101); H04L 69/329 (20130101) |
| Current International Class: | G06F 17/30 (20060101); H04L 29/06 (20060101); H04L 29/08 (20060101); G06F 015/16 (); G06F 017/30 () |
| Field of Search: | ;714/37 ;707/104.1,9 ;709/227,203,224,229,225 |
References Cited [Referenced By]
U.S. Patent Documents
| 5550984 | August 1996 | Gelb |
| 5623601 | April 1997 | Vu |
| 5678041 | October 1997 | Baker et al. |
| 5699513 | December 1997 | Feigen et al. |
| 5706507 | January 1998 | Schloss |
| 5727129 | March 1998 | Barrett et al. |
| 5727159 | March 1998 | Kikinis |
| 5752242 | May 1998 | Havens |
| 5767893 | June 1998 | Chen et al. |
| 5774664 | June 1998 | Hidary et al. |
| 5778174 | July 1998 | Cain |
| 5826267 | October 1998 | McMillan |
| 5832212 | November 1998 | Cragun et al. |
| 5867651 | February 1999 | Dan et al. |
| 5878231 | March 1999 | Baehr et al. |
| 5898830 | April 1999 | Wesinger, Jr. et al. |
| 5905872 | May 1999 | DeSimone et al. |
| 6138142 | October 2000 | Linsk |
| 6144990 | November 2000 | Brandt et al. |
| 6173322 | January 2001 | Hu |
Other References
|
Graham, Ian S., HTML Source Book, Second Edition, A Complete Guide to HTML 3.0, Wiley Computer Publishing, John Wiley & Sons, Inc. New York, Chichester, Brisbane, Toronto, Singapore .COPYRGT. 1996, Table Of Contents, Chapter 3--pp. 91-123; Chapter 6--pp. 351-375; Chapter 7--pp. 377-417; Chapter 8--pp. 450. . Comer, Douglas, E., Internetworking With TCP/IP, Vol 1: Principles, Protocols, and Architecture, Fourth Edition, Prentice Hall, Inc., Upper Saddle River, New Jersey, 07458, .COPYRGT.2000, 1995 Prentice Hall, pp. 150-154.. |
Primary Examiner: Wiley; David
Assistant Examiner: Delgado; Michael
Attorney, Agent or Firm: Blakely, Sokoloff, Taylor & Zafman LLP
Parent Case Text
This is a Continuation of application Ser. No. 08/773,602, filed Dec. 27, 1996, now U.S. Pat. No. 6,041,355.
Claims
What is claimed is:
1. A method of controlling transfer of data between a first network of computers and a second network of computers, the method comprising: parsing content description language received from the first network of computers; determining tag information within the parsed content description language, said tag information including information available to the second network of computers; and making a completion decision by the second network of computers as to whether to allow the transfer of data based on the tag information available to the second network of computers.
2. The method of claim 1 wherein the completion decision determines whether the transfer is allowed to occur.
3. The method of claim 1 wherein the completion decision determines whether only a partial transfer is allowed to occur.
4. The method of claim 3 wherein text but not pictures are allowed to be transferred.
5. The method of claim 1 wherein the completion decision is based upon a resource constraint of the second network of computers.
6. The method of claim 1 wherein the content description language is HTML.
7. The method of claim 1 wherein the tag information includes a pricetag for the transfer of data, and wherein the completion decision is based upon the pricetag for the transfer of data.
8. A method of controlling transfer of data between a first network of computers and a second network of computers, the method comprising: parsing content description language data received from the first network of computers to determine tag information indicating a pricetag for subsequent transfers of said content description language data to the second network of computers; and allowing the subsequent transfers of the content description language data to the second network of computers if the pricetag is below a predetermined spending limit.
9. The method of claim 8 wherein a user connected to the second network of computers requests the subsequent transfers of content description language data and the predetermined spending limit is associated with the user.
10. A method of controlling transfer of data between a first network of computers and a second network of computers, the method comprising: parsing content description language data received from the first network of computers to determine tag information indicating a size of subsequent transfers of said content description language data to the second network of computers; and disallowing the subsequent transfers of the content description language data to the second network of computers if the size of the subsequent transfers of content description language data interferes with resource constraints of the second network of computers.
11. The method of claim 10 wherein disallowing the subsequent transfers of the content description language data is also based upon time of day restrictions.
12. The method of claim 10 wherein the tag information indicates that the subsequent transfers of content description language data are entertainment-based.
13. A method of controlling transfer of data between a first network of computers and a second network of computers, the method comprising: parsing content description language data received from the first network of computers to determine tag information about subsequent transfers of said content description language data to the second network of computers; and disallowing the subsequent transfers of the content description language data to the second network of computers based upon a time of day restriction specified by the tag information.
14. The method of claim 13 wherein the tag information about subsequent transfers indicates that the subsequent transfers of content description language data are entertainment-based.
15. A method of controlling transfer of data between a first network of computers and a second network of computers, the method comprising: parsing content description language data received from the first network of computers to determine tag information about subsequent transfers of said content description language data to the second network of computers; and disallowing the subsequent transfers of the content description language data to the second network of computers based upon age restrictions of a requestor of the content description language data from the second network of computers, wherein the age restrictions are specified by the tag information.
16. The method of claim 1 wherein the completion decision allows a transfer to be deferred until a later time.
17. The method of claim 1 wherein the completion decision allows a transfer to be cached.
18. The method of claim 17 wherein the caching is based on tag information.
19. The method of claim 8 further comprising: subtracting the pricetag from a budget amount attributed to a user that requested the subsequent transfers of the content description language data.
20. A method, comprising: examining content description language tags embedded within data from a first computer network and criteria from a second computer network, wherein the examination occurs on a proxy server; comparing the content description language tags embedded within the data and the criteria, wherein the comparison occurs on the proxy server; controlling whether the transfer of data from the first computer network to the second computer network is allowed based on a completion decision resulting from the comparison of the content description language tags embedded within the data and the criteria, wherein the completion decision occurs on the proxy server.
21. The method of claim 20 wherein examining data from the first computer network further comprises examining data from a cache.
22. The method of claim 20 wherein examining criteria from the second computer network further comprises examining criteria from a cache.
23. The method of claim 20 wherein comparing the data and the criteria further comprises examining data and criteria from a cache.
24. The method of claim 20 wherein examining data from the first computer network further comprises examining data from a database.
25. The method of claim 24 wherein examining data from a database further comprises examining data from a cached database.
26. The method of claim 20 wherein examining criteria from the second computer network further comprises examining criteria from a database.
27. The method of claim 26 wherein examining criteria from a database further comprises examining criteria from a cached database.
28. The method of claim 20 wherein examining data from the first computer network further comprises examining a content description language tag.
29. The method of claim 20 wherein examining criteria from the second computer network further comprises examining an acceptance content description language tag.
30. The method of claim 20 wherein comparing the data and the criteria further comprises comparing a content descriptor and an acceptance content description language tag.
31. The method of claim 20 wherein comparing the data and the criteria further comprises comparing a content descriptor and an acceptance content description language tag.
32. The method of claim 20 wherein the completion decision further comprises a content descriptor being within a set of an acceptance content description language tag.
33. An apparatus, comprising: means for examining content description language tags embedded within data from a first computer network and criteria from a second computer network, wherein the examination occurs on a proxy server; means for comparing the content description language tags embedded within the data and the criteria, wherein the comparison occurs on the proxy server; means for controlling whether the transfer of data from the first computer network to the second computer network is allowed based on a completion decision resulting from the comparison of the content description language tags embedded within the data and the criteria, wherein the completion decision occurs on the proxy server.
34. The apparatus of claim 33, wherein the means for examining data further comprises means for parsing data to obtain tag information.
35. The apparatus of claim 34, wherein the means for means for comparing the data and the criteria further comprises means for comparing the tag information and the criteria.
36. The apparatus of claim 33, wherein the means for examining criteria further comprises means for retrieving criteria from the second computer network database.
37. The apparatus of claim 33, wherein the means for comparing the data and the criteria further comprises means for comparing data from a cache and criteria from a cache.
38. An apparatus for controlling data transfers between a first computer network and a second computer network, the apparatus comprising: a proxy connected to the first computer network and the second computer network; criteria coupled to the proxy; and a parsing engine coupled to the second computer network and the proxy, such that the criteria and the parsing engine control the data transfers through the proxy by comparing the criteria to the data's content description language tags.
39. The apparatus according to claim 38, wherein the coupling of the criteria to the proxy is a database.
40. The apparatus according to claim 38, wherein the coupling of the criteria to the proxy is a cache.
41. The apparatus according to claim 38, wherein the coupling of the parsing engine to the proxy is a database.
42. The apparatus according to claim 41, wherein the database is a cache.
43. The apparatus according to claim 41, wherein said database is the result of the second computer network coupling to said parsing engine.
44. The apparatus according to claim 38, wherein the proxy comprises a computer.
Description
FIELD OF THE INVENTION
The present invention relates to the field of providing information over a network. More particularly, this invention relates to filtering data transferred between two networks based upon tags indicative of the content of the data.
BACKGROUND OF THE INVENTION
The World Wide Web (WWW) is a fully multimedia-enabled hypertext system used for navigating the Internet. WWW may cope with any type of data which may be stored on computers, and may be used with an Internet connection and a WWW browser. WWW is made up of millions of interconnected pages or documents which can be displayed on a computer or other interface to the WWW. Each page can have connections to other pages which may be stored on any computer connected to the Internet.
WWW is based on the concept of hypertext which is very similar to ordinary text, except that for hypertext, connections to other parts of the text or to other documents can be hidden behind words and phrases. The connections to these hypertext are referred to as hypertext links, and they allow the user to read the document in any order desired. WWW also utilizes hypermedia which allows links to connect to not only words but also with pictures, sounds and any other data files which can be stored on a computer.
More specifically, hypermedia is a method of connecting data files together regardless of their format. The hypermedia links held on a given WWW page describes the location of the document which a WWW browser should display by using a Uniform Resource Locator (URL). URLs enable WWW browsers to go directly to any file held on any WWW server. URL is a naming system, typically consisting of three parts, the transfer format (also known as the protocol type), the host name of the machine which holds the file (may also be referred to as the WWW server name) and the path name to the file. The transfer format for standard WWW pages is Hypertext Transfer Protocol (HTTP). Standard Internet naming conventions are utilized for the host name portion of the URL. UNIX* directory naming conventions are utilized to indicate the path name of the file.
A firewall is used to separate one network of computers from another. For example, a corporation that connects to the Internet and WWW may install a firewall to prevent users outside the corporation from accessing data stored on the computer network within the corporation. Additionally, the firewall can prevent users within the corporation from accessing data on the Internet and WWW.
For example, a firewall may be configured to allow certain machines to be reached and not others. The firewall may be further programmed to allow certain applications to pass through the firewall and to deny access to other applications. This provides a secure, but coarse level of access control for corporate Intranets.
A proxy sits on top of a firewall. A proxy looks at a higher level of the data transfer. It is typically a process that responds and acts on behalf of client requests. A proxy may be used to improve performance by caching data from previous retrievals. A proxy may look at the data requests from the users within the corporation and prevent requests from being sent out which have a particular keyword in the URL. This, for example, may be used to prevent the retrieval of sexually explicit material from the Internet by performing a search of the words of the URL in a dictionary having particular banned keywords.
SUMMARY OF THE INVENTION
A method of controlling data transfer between a first network and a second network of computers is described. Content description language received from the first network by the second network is parsed to determine tag information within the content description language. The second network of computers makes a completion decision as to whether to allow the transfer based on the tag information.
These and other advantages of the present invention are fully described in the following detailed description.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a block diagram of a firewall separating a first network from a second network of computers.
FIG. 2 is an example indicating tags within content description language.
FIG. 3 shows a flowchart of the steps taken using the present invention.
DETAILED DESCRIPTION
A method of controlling data transfer between a first network and a second network of computers is described. Content description language, such as Hypertext Markup Language (HTML), received from the first network by the second network is parsed to determine tag information within the content description language. The second network of computers makes a completion decision as to whether to allow the transfer based on the tag information. The second network of computers may allow complete transfer or partial transfer of the data. The second network of computers may defer the transfer until a later time, or it may cache the transfer to allow its clients to access the data from this transfer without the need to retrieve the data a second time from the first network. Various other completion decisions based upon resource constraints, content based upon age, and pricetag of the content are possible.
FIG. 1 is a block diagram of a firewall separating a first network from a second network of computers. The first network, network A, is the internet 10 which includes the World Wide Web and its many web sites, such as web site 12.
Network A is coupled to Network B, which may be a corporate network of computers, for example. In one embodiment, Network B comprises a first filtering router 20, a web proxy 22, and a second filtering router 24. Network B may also host many other client computers 30 connected to its network.
The filtering router 20 is connected to the Internet 10. The filtering router 20 accepts only requests from the web proxy 22 for retrieving data from the internet 10. The filtering router 20 also only allows data received from the internet 10 to be provided to the web proxy 22.
Similarly, the filtering router 24 is connected to the client computers 30. The filtering router 24 accepts requests from the client computers 30 only directed to the web proxy 22. The filtering router 24 also only allows data from the web proxy 22 to be provided to the client computers 30.
The web proxy 22 sits between the filtering routers 20 and 24. Thus, the web proxy buffers the client computers 30 from accessing the internet 10 directly. The web proxy is able to monitor all data leaving network B and being retrieved from Network A.
In the prior art, the web proxy 22 receives a request via filtering router 24 from one of its clients to retrieve data from the internet. The web proxy requests the data from the internet which is allowed to pass through the filtering router 20. When the data is returned from the internet, the filtering router 20 allows the data to be provided to the web proxy 22. The web proxy then provides the data to the client 30 that requested the data.
In the present invention, the web proxy monitors the content description language that was returned from the internet. The web proxy looks at tags that indicate information about the content of the data, as will be described further with reference to FIG. 2. The web proxy then determines completion decisions as to whether to allow the transfer of data based upon the tag information. For example, the web proxy may allow complete transfer or partial transfer of the data. It may defer the transfer until a later time, or it may cache the transfer to allow its clients to access the data from this transfer without the need to retrieve the data a second time from the internet. Various other completion decisions based upon resource constraints, content based upon age, and pricetag of the content are possible, as will be described.
The web proxy 22 may be comprised of one or more computers. Additionally, web proxy 22 may comprise other proxies which communicate with the internet, such as mail proxies and ftp proxies. Web proxy 22 processes the requests for data from the client computers 30 and the data received from the internet 10.
FIG. 2 is an example indicating tags within content description language. The tags are used for displaying the data in an appropriate manner by the browser. Various multimedia abilities, such as adding sound and hypertext links are possible through the tags. Many tags are standardized so that all browsers will know how to interpret the tags. Some browsers include proprietary tags which improve the display of the content on their own browsers.
The present invention uses tags which can be used by the web proxy to determine whether to allow subsequent data transfers of content description language. The tags "cost", "embedded load", and "content" are examples of new tags added to implement the present intention.
Financial
In one embodiment of the invention, financial tags are included to indicate the cost of the content of the subsequent data transfers of content description language. For example, FIG. 2 includes the tag "cost." The cost can be expressed in dollars or in other units.
The web proxy is able to compare the cost of the content against a spending limit of the user that requested the data. If the cost of the content is higher than the spending limit, then the transfer will be denied. The spending limit in this case may be per access, or it may be a cumulative limit that is being exceeded.
Resource Constraints
In another embodiment, the tags indicate either the size or a rate of transfer of the subsequent data transfers of content description language. For example, FIG. 2 includes the tag "embedded load" that indicates a streaming rate of transfer of subsequent data transfers of content description language. During certain times of the day the Network B may disallow transfer of files over a specified size, or may prevent the transfer of streaming files greater than a specified rate of transfer. At other times of the day, these transfers will be allowed. These restrictions are often based upon resource constraints of the network during peak hours during which normal business over the Network B would become too slow without the restrictions.
Certain users, however, may be allowed access to files of any size or data transfer rate at any time of the day. The web proxy uses these access rights to appropriately determine completion actions whether to allow the transfer.
Miscellaneous Content Restrictions
Other predetermined tag information that can be used by the web proxy to make completion decisions include content restrictions based upon sexual or violent content. The web proxy includes information about the users on its client systems which allows the web proxy to determine whether certain users should be allowed to access the subsequent data transfers of content description language.
FIG. 3 shows a flowchart of the steps taken using the present invention. The flowchart starts at block 60 from which it continues at block 62. At block 62, content description language received from the first network of computers is parsed by the second network of computers to determine tag information within the content description language. Operation continues at block 64 at which a completion decision is made by the second network of computers as to whether to allow the transfer of data based on the tag information. The flowchart terminates at block 66.
The completion decision may be based upon various constraints of the networks and access rights of the requesting clients. These constraints may include, but is not limited to, financial constraints, resource constraints, age restrictions, user restrictions, and time of day restrictions.
In the foregoing specification, the invention has been described with reference to specific exemplary embodiments thereof. It will, however be evident that various modifications and changes may be made thereto without departing from the broader spirit and scope of the invention as set forth in the appended claims. The specification and drawings are, accordingly, to be regarded in an illustrative rather than a restrictive sense.
* * * * *
uspto.report is an independent third-party trademark research tool that is not affiliated, endorsed, or sponsored by the United States Patent and Trademark Office (USPTO) or any other governmental organization. The information provided by uspto.report is based on publicly available data at the time of writing and is intended for informational purposes only.
While we strive to provide accurate and up-to-date information, we do not guarantee the accuracy, completeness, reliability, or suitability of the information displayed on this site. The use of this site is at your own risk. Any reliance you place on such information is therefore strictly at your own risk.
All official trademark data, including owner information, should be verified by visiting the official USPTO website at www.uspto.gov. This site is not intended to replace professional legal advice and should not be used as a substitute for consulting with a legal professional who is knowledgeable about trademark law.
| 